Handling of Non-Integrity Protected Reject Messages in 5G

ABSTRACT

Methods and apparatus are provided for handling of non-integrity reject message in the 5G system. In one novel aspect, the UE upon receiving the reject message via one access without integrity protection, retries one or more other accesses for one or more times before treating the rejection genuine. In one embodiment, the UE attempts the same 5GMM procedure over another access in the same cell/tracking area (TA). The alternative access including other types of 3GPP access and non-3GPP access. Subsequently, the UE can search the service from another cell/TA or another PLMN. In one embodiment, if the UE receives reject cause invalidating the UE with one access without integrity protection, the UE tries the system a few times before treating the reject genuine by tracking an invalidating counter, which is increased by one each time the rejection is received with a cause value invalidating the UE.

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims priority under 35 U.S.C. § 119 from U.S. Provisional Application No. 62/661,221 filed on Apr. 23, 2018, titled "Improvement to handling of non-integrity protected reject messages in 5G," the subject matter of which is incorporated herein by reference.

TECHNICAL FIELD

The disclosed embodiments relate generally to wireless communication, and, more particularly, to method for handling of non-integrity protected reject messages in 5G.

BACKGROUND

The wireless communications network has grown exponentially over the years. A Long-Term Evolution (LTE) system offers high peak data rates, low latency, improved system capacity, and low operating cost resulting from simplified network architecture. LTE systems, also known as the 4G system, also provide seamless integration to the older wireless network, such as GSM, CDMA and Universal Mobile Telecommunication System (UMTS). The 3rd generation partner project (3GPP) network normally includes a hybrid of 2G/3G/4G systems. With the development and deployment of the 5G system (5GS), the 5GS allows multiple access, including 3GPP accesses and non-3GPP accesses, to the network. With the optimization of the network design, many improvements have developed over the evolution of various standards. With the development of the 5G system (5GS), the base station/gNB would support enabling reduced UE bandwidth capability within a wideband carrier and enabling reduced UE power energy consumption by bandwidth adaptation.

The main function of the Session Management (SM) for 2G/3G systems or Evolved Packet System (EPS) SM (ESM) for 4G systems is to support Packet Data Protocol (PDP) context or EPS bearer handling of the user terminal. Upon receipt of the registration request message, the network may reject the request with a cause code. For different cause codes, the network may provide a retry mechanism for the user to resend the SM/ESM request if certain conditions are satisfied. However, for some specific cause codes, the UE is not allowed to apply the retry mechanism and resend another SM/ESM request unless the UE is switched off or the USIM is removed. As a result, those cause codes create probably permanent rejection in providing data service to the user. The legacy system, such as the evolved packet system (EPS), specifies protection mechanism to protect the UE against a denial of service attack against mobile terminal from a fraudulent network. With the development of the 5GS, the UE could access the 5GS core network (CN) via 3GPP accesses and non-3GPP accesses. The protection mechanism against a denial of service attack against mobile terminal from a fraudulent network does not exist for the 5GS and requires considerations of the multiple access characteristics of the 5GS.

SUMMARY

Methods and apparatus are provided for handling of non-integrity reject message in the 5G system. In one novel aspect, in attempting the 5G mobility management (5GMM) procedure to the core network (CN), the UE upon receiving the reject message via one access without integrity protection, retries one or more other accesses for one or more times before treating the rejection genuine. In one embodiment, the UE attempts the same 5GMM procedure over another access in the same cell/TA, if the UE can determine that an alternative access to the CN is provided via the same cell/TA. The alternative access including other types of 3GPP access and non-3GPP access, such as the WiFi Access. Secondly, the UE can search the service from another cell/TA and thirdly the UE can search another PLMN. In one embodiment, if the UE attempted 5GMM procedure to the CN and receives reject cause invalidating the UE with one access without integrity protection, the UE tries the system few times before treating the reject genuine by tracking an invalidating counter, which is increased by one each time the rejection is received with a cause value invalidating the UE.

In one embodiment, the UE updates one or more corresponding rejection counters based on the first access network and the first PLMN, wherein each rejection counter counts a corresponding registration rejection received without integrity protection and attempts a new Registration request based on a registration rule. In one embodiment, the registration rule allows the new Registration Request with a selected access network and a selected PLMN upon determining one or more registration conditions are met based on a predefined registration selection criterion, and wherein the selection criterion allows a non-3GPP network being selected. In one embodiment, registration rule selects a qualified access network following a descending priority order comprising: selecting an available access network in a same cell or a same tracking area (TA) as the first access network, selecting an available access network in a different tracking area (TA) with a same PLMN as the first access network, and selecting an available access network in a different PLMN. In another embodiment, the registration rule selects a qualified access network for the new registration request from in 5GS or evolved packet system (EPS) following a descending priority order comprising: a same access network, a different 3GPP access network, and a non-3GPP access network. In yet another embodiment, a second access network is qualified if an updated rejection counter for the second access network is smaller than a preconfigured maximum value of registration for the second access network.

In one embodiment, one or more rejection counters include a retry counter increased by one for each registration request sent by the UE. In another embodiment, the registration condition includes the retry counter is smaller than a preconfigured maximum value of UE retry counter. In one embodiment, the 5GS supports evolved packet system (EPS), and wherein the one or more rejection counters include an invalidate counter that is updated for each registration rejection with a cause value indicating a non-integrity protected rejection invalidating the UE. In another embodiment, the UE only treats a rejection as being genuine until the invalidate counter is greater than or equal to a preconfigured maximum value of invalidate counter. In one embodiment, upon receiving a registration accept message from the 5GS or the EPS, the UE resets the one or more rejection counters.

Other embodiments and advantages are described in the detailed description below. This summary does not purport to define the invention. The invention is defined by the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, where like numerals indicate like components, illustrate embodiments of the invention.

FIG. 1 illustrates an exemplary 5G system 100 with 3GPP and non-3GPP access in accordance with one novel aspect.

FIG. 2 illustrates simplified block diagrams of a user equipment and a base station in accordance with embodiments of the current invention.

FIG. 3 illustrates exemplary diagrams for a 5G system with multiple access system and the UE access the network through different access system in accordance with embodiments of the current invention.

FIG. 4 illustrates an exemplary diagram for a retry procedure in handling the non-integrity protected reject message received by the UE in the 5GS in accordance with embodiments of the current invention.

FIG. 5 illustrates an exemplary flow diagram for a UE retry procedure upon receiving non-integrity protected reject messages before the UE is considered invalid in accordance with embodiments of the current invention.

FIG. 6 illustrates an exemplary flow diagram for a UE retry procedure upon receiving non-integrity protected reject messages and succeeds in registration in accordance with embodiments of the current invention.

FIG. 7 illustrates an exemplary flow chart of the UE handling non-integrity protected rejection message in 5G system in accordance with embodiments of the current invention.

DETAILED DESCRIPTION

Reference will now be made in detail to some embodiments of the invention, examples of which are illustrated in the accompanying drawings.

FIG. 1 illustrates an exemplary 5G system 100 with 3GPP and non-3GPP access in accordance with one novel aspect. 5G system 100 is a Public Land Mobile Network (PLMN) or an Equivalent Public Land Mobile Network (EPLMN) that supports one or more wireless radio network access (RAT) networks, including 3GPP networks, such as a 5G, a 4G/LTE system, a 3G system, and possibly a 2G system (not shown). Each of the 3GPP systems has a fixed base infrastructure unit, such as wireless communications stations 102, forming wireless networks distributed over a geographical region. The base unit may also be referred to as a next generation NodeB (gNB), an access point, an access terminal, a base station, a NodeB, an eNodeB, or by other terminology used in the art. The 3GPP wireless base station connects to access and mobility management function (AMF) unit 121 for control plane operations. 3GPP base station 102 connects with a system architecture evolution (SAE) gateway 111, which includes the serving gateway (S-GW) and the packet data network (PDN) gateway (P-GW) via the S1 interface. 3GPP base station 102 may also include a radio network controller (RNC). The RNC of the 3G system connects with a serving GPRS support node (SGSN), which is connected to SAE gateway 111. 5GS 100 may also have a non-3GPP base station 103. Each of the wireless communications stations 102 and 103 serves a geographic area. A non-3GPP base station may be a WiFi access point (AP). UE 101 connects with non-3GPP base station 103 via non-3GPP radio link protocols, such as the WiFi. Non-3GPP base station 103 connects with a non-3GPP interworking function (IWF) unit 122 for control plane communications. Non-3GPP base station 103 connects to non-3GPP access gateway 112 for data plane communication with the network. In the 5GS 100, a PLMN/EPLMN 110 may include the 3GPP network entities and non-3GPP network entities. The 3GPP network entities in a PLMN may also include different system protocols.

FIG. 2 illustrates simplified block diagrams of a user equipment UE 201 and a base station BS 202 in accordance with embodiments of the current invention. BS 202 has an antenna 226, which transmits and receives radio signals. A RF transceiver module 223, coupled with the antenna, receives RF signals from antenna 226, converts them to baseband signals and sends them to processor 222. RF transceiver 223 also converts received baseband signals from processor 222, converts them to RF signals, and sends out to antenna 226. Processor 222 processes the received baseband signals and invokes different functional modules to perform features in base station 202. Memory 221 stores program instructions and data 224 to control the operations of base station 202. Base station 202 also includes a set of control circuits, such as a registration controller 225 that carry out functional tasks for handling of non-integrity protected reject message in 5G. These functions can be implemented in software, firmware and hardware.

Similarly, UE 201 has an antenna 235, which transmits and receives radio signals. A RF transceiver module 234, coupled with the antenna, receives RF signals from antenna 235, converts them to baseband signals and sends them to processor 232. RF transceiver 234 also converts received baseband signals from processor 232, converts them to RF signals, and sends out to antenna 235. Processor 232 processes the received baseband signals and invokes different functional modules to perform features in the mobile station 201. Memory 231 stores program instructions and data 236 to control the operations of the mobile station 201.

UE 201 also includes a set of control modules or circuits that carry out functional tasks. These functions can be implemented in software, firmware and hardware. A controller 290 supports handling of non-integrity protected reject message in 5G. A registration request circuit 291 transmits a Registration Request on a first access network with a first public land mobile network (PLMN), wherein the UE can access the 5GS core network (CN) through a plurality of access networks include one or more 3rd Generation Partner Project (3GPP) network and at least one non-3GPP network. A registration response circuit 292 receives a Registration Reject from the 5GS with a cause value indicating a non-integrity protected rejection invalidating the UE. A counter circuit 293 updates one or more corresponding rejection counters based on the first access network and the first PLMN, wherein each rejection counter counts a corresponding registration rejection received without integrity protection. A retry circuit 294 attempts a new Registration Request based on a registration rule, wherein the registration rule allows the new Registration Request with a selected access network and a selected PLMN upon determining one or more registration conditions are met based on a predefined registration selection criterion, and wherein the selection criterion allows also a non-3GPP network being selected.

As illustrated in FIG. 1, the 5GS system may use multiple access to the network including 3GPP access, such as E-UTRA and NR, and non-3GPP access, such as WiFi. The UE can connect to the network through different access system. In one novel aspect, when the UE receives non-integrity protected rejection messages, the UE will retry other accesses.

FIG. 3 illustrates exemplary diagrams for a 5G system with multiple access system and the UE access the network through different access system in accordance with embodiments of the current invention. A UE 301 is configured with access to a 5G system through multiple access systems including 3GPP network, such as E-UTRA and NR, and non-3GPP network. The exemplary 5G system is configured with multiple cells, each with one or more base stations serving each cell. The base station may be a 3GPP base station, such as base stations 311-314, 321-322, 331-334, and 341-342 or a non-3GPP base station/AP, such as 315, 316, 323, 335 and 343. The multiple base stations serving a geographic area may be overlapped too. One or more of the serving cells form a tracking area. For example, tracking area 310 includes cells served by 3GPP base stations 311, 312, 313, 314 and non-3GPP APs 315 and 316. Similarly, tracking area 320 includes cells served by 3GPP base stations 321, 322, and non-3GPP AP 323. Tracking area 330 includes cells served by 3GPP base stations 331, 332, 334, and non-3GPP AP 335. Tracking area 340 includes cells served by 3GPP base stations 341, 342, and non-3GPP AP 343. A PLMN may be served by one or more tracking areas or one or more cells. For example, PLMN-1 351 includes tracking area 310 and 320. PLMN-2 352 includes tracking area 330 and 340. As an example, UE 301 can be served with 3GPP base stations 311 and 312 in tracking area 310, 321 in tracking area 320 and 331 in tracking area 330. UE 301 can also be served by non-3GPP base station/AP 315 in tracking area 310, 323 in tracking area 320, and 335 in tracking area 335.

As shown in FIG. 3, since the UE in 5GS can access the core network over multiple accesses, such as E-UTRA, NR and non-3GPP, the handling of non-integrity protected reject message needs new considerations. The UE, upon receiving some fatal cause values that require the UE to consider the USIM invalid and thus cause a total denial of service for the UE, needs to consider other access options first. The procedure for handling of the non-integrity protected reject messages needs to be modified for the 5G mobility management (5GMM) purposes. The existing EPS solution, which is designed against rogue cell operations over E-UTRA, requires improvement for the 5GS which allows multiple accesses, such as E-UTRA, NR and non-3GPP.

FIG. 4 illustrates an exemplary diagram for a retry procedure in handling the non-integrity protected reject message received by the UE in the 5GS in accordance with embodiments of the current invention. In one novel aspect, the UE retries other accesses to the 5GS upon receiving non-integrity protected reject message. In one embodiment, if the UE attempted 5GMM procedure to the core network (CN) and receives reject cause #3, #6, #7, #8 (or another cause invalidating the UE) via one access without integrity protection and if the UE supports and the network offers an alternative access to the CN then allow the UE to try another access(es) few times before treating the reject genuine. This means that in the first phase the UE could attempt the same 5GMM procedure over another access in the same cell/TA, if the UE can determine that an alternative access to the CN is provided via the same cell/TA. Secondly the UE can search the service from another cell/TA and thirdly the UE can search another PLMN. In another embodiment, when the UE operating in 5GS can support also EPS, retries are performed through other accesses. If the UE attempted 5GMM procedure to the CN and receives reject cause #3, #6, #7, #8 (or another cause invalidating the UE) via one access without integrity protection and if the UE supports and the network offers also access to different system (EPS, or GERAN/UTRAN) then allow the UE to try the system few times before treating the reject genuine. In the 5GS system, reception of cause values #3, #6 (i.e. illegal UE/ME) in a 5GMM reject message requires the UE to consider the USIM invalid and this means a total denial of service when received from the network. Reception of cause #8 in a 5GMM reject message means the UE has no access to 5GS (N1 mode must be disabled) and the UE has to search other systems/accesses for service. If the UE does not support other than 5GS then this can mean also total denial of service. Other cause values in the 5GMM, which results in denial of service, may also need the retry procedure to protect the UE.

A retry procedure is configured for the UE upon receiving non-integrity protected reject message. The retry procedure can be configured with a priority rule for the target cell/base station for the retry. Such priority rule can be predefined or preconfigured. The priority rule can also be dynamically updated. The UE applies the priority rule based on the existing access of the UE to the network. First, at step 401, the UE determines that the UE supports multiple-access and the 5GMM supports multiple-access. The multiple-access support includes supporting more than one access method, including an E-UTRA, an NR, and a non-3GPP access. Upon detecting a Registration Reject message from the network, the UE determines whether it is a non-integrity protected reject message with a preconfigured cause value, such as cause values #3, #6, #7, and #8. Other cause values may also trigger the retry procedure. The triggering value of the retry procedure can be preconfigured or predefined by the network or the operator. The triggering value of the retry procedure can also be dynamically updated. Upon detecting the non-integrity protected reject message with a preconfigured cause value, the UE applies a priority rule in selecting a retry target. At step 411, the UE first retries a base station with the same access that is in the same cell or in the same tracking area (TA). If step 411 fails to successfully register, the UE moves to step 421. At step 421, the UE retries with a different access in the same cell or the same TA. For example, if the UE is currently accessing the network with a 3GPP access, the UE first retries a base station with the same 3GPP access in the same cell or the same TA. If it fails to register, the UE would retry a base station with a different 3GPP access if there exists one, otherwise, the UE would retry a non-3GPP access. If step 421 fails, the UE, at step 431, would retry access with base station in a different cell or a different TA with the same PLMN. If step 431 fails, the UE, at step 441, would retry a base station with a different PLMN. In selecting a base station in a different cell, a different TA or a different PLMN, the UE would prioritize the same access as the original access over a different access.

The retry procedure in handling the non-integrity protected reject message for the UE in 5GS protects the UE against a denial of service attack. In one embodiment, one or more rejection counters are configured for the retry procedure. The UE updates the one or more rejection counters in the retry procedure upon each reception of non-integrity protected reject message. The UE resets the one or more rejection counters upon successful registration.

FIG. 5 illustrates an exemplary flow diagram for a UE retry procedure upon receiving non-integrity protected reject messages before the UE is considered invalid in accordance with embodiments of the current invention. A UE 501 in a 5GS is configured to access the CN through multiple accesses. The 5GS is configured with multiple accesses including 3GPP and non-3GPP accesses. UE 501 can access the 5GS CN via AMF 502 in a PLMN with NR, AMF 503 in a PLMN with non-3GPP, AMF 504 in a PLMN with ETRAN, AMF 505 in a PLMN with LTE. At step 511, UE sends a registration request to AMF 502 with NR. At step 512, UE 501 receives Registration Reject from AMF 502 with NR. The Registration Reject message is non-integrity protected and the cause value is one selected from a predefined cause value set. The cause value set for 5GMM includes cause values #3, #6, #7, and #8. The cause value set may include other cause values. In one embodiment, the cause value set can be dynamically updated. Upon receiving the Registration Reject in step 512, the UE, at step 513, leaves the current access NR and increases a rejection counter by one. In one embodiment, the rejection counter is a counter tracking all registration reject messages before a registration accept. In another embodiment, a separate rejection counter may also be configured for each type of access, or for each cell/TA/PLMN. At step 513, the UE determines if the maximum value of one or more rejection counters is reached. If not, the UE at step 521, sends a registration request to AMF 504 with ETRAN. AMF 504 with ETRAN is selected following a priority rule for selection, which is detailed and illustrated in FIG. 4. At step 522, the UE receives a non-integrity protected Registration Reject message. At step 523, UE 501 leaves access ETRAN and increases a rejection counter. If each rejection counter is smaller than the preconfigured maximum value for each corresponding rejection counter, the UE selects another access for the retry. At step 531, the UE sends a Registration Request to AMF 503 with non-3GPP. At step 532, the UE receives a non-integrity protected Registration Reject message. At step 533, the UE leaves the non-3GPP access and increases one or more corresponding rejection counters. If each rejection counter is smaller than a corresponding maximum value for the rejection counter, the UE selects a new access for retry. At step 541, the UE sends a Registration Request to AMF 505 for LTE. At step 542, the UE receives a non-integrity protected Registration Reject message. At step 551, the UE increases one or more rejection counters and detects at least one rejection counter is greater than a maximum value for the rejection counter. Subsequently, at step 560, the UE considers the USIM invalid. In one embodiment, an invalidate counter is configured for the UE. UE only treats a rejection as being genuine until the invalidate counter is greater than or equal to a preconfigured maximum value of invalidate counter. The invalidate counter is updated/increased by one for each registration rejection with a cause value, such as cause value #3, #6, #7, or #8 in 5GMM, indicating a non-integrity protected rejection invalidating the UE.

FIG. 6 illustrates an exemplary flow diagram for a UE retry procedure upon receiving non-integrity protected reject messages and succeeds in registration in accordance with embodiments of the current invention. A UE 601 in a 5GS is configured to access the CN through multiple accesses. The 5GS is configured with multiple accesses including 3GPP and non-3GPP accesses. UE 601 can access the 5GS CN via AMF 602 in a PLMN with NR, AMF 603 in a PLMN with non-3GPP, AMF 604 in a PLMN with ETRAN, AMF 605 in a PLMN with LTE. At step 611, the UE sends registration request to AMF 602 with NR. At step 612, UE 601 receives Registration Reject from AMF 602 with NR. The Registration Reject message is non-integrity protected and the cause value is one selected from a predefined cause value set. The cause value set for 5GMM includes cause values #3, #6, #7, and #8. The cause value set may include other cause values. In one embodiment, the cause value set can be dynamically updated. Upon receiving the Registration Reject in step 612, the UE, at step 613, leaves the current access NR and increases a rejection counter by one. In one embodiment, the rejection counter is a counter tracking all registration reject messages before a registration accept. In another embodiment, a separate rejection counter may also be configured for each type of access, or for each cell/TA/PLMN. At step 613, the UE determines if the maximum value of one or more rejection counters is reached. If not, the UE at step 621, sends a registration request to AMF 604 with ETRAN. AMF 604 with ETRAN is selected following a priority rule for selection, which is detailed and illustrated in FIG. 4. At step 622, the UE receives a non-integrity protected Registration Reject message. At step 623, UE 601 leaves access ETRAN and increases a rejection counter. If each rejection counter is smaller than the preconfigured maximum value for each corresponding rejection counter, the UE selects another access for the retry. At step 631, the UE sends a Registration Request to AMF 603 with non-3GPP. At step 632, the UE receives a non-integrity protected Registration Reject message. At step 633, the UE leaves the non-3GPP access and increases one or more corresponding rejection counters. If each rejection counter is smaller than the corresponding maximum value for the rejection counter, the UE selects a new access for retry. At step 641, the UE sends a Registration Request to AMF 605 for LTE. At step 642, the UE receives a Registration Accept message. The UE is successfully registered with the 5GS through AMF 505 with LTE. At step 651, the UE resets all rejection counters. At step 660, the USIM is considered to be valid.
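
The priority rule of FIG. 4 and the counter handling of FIGS. 5 and 6, written out as a small simulation. This is an added example, not code from the patent: the access names, the topology, the per-access limit of 1 and the invalidate-counter maximum of 5 are constructed values, and ending with the USIM still valid when no qualified access remains is an assumption the text does not specify.

```python
"""Added illustration: UE retry on non-integrity-protected Registration Reject."""
from collections import namedtuple

INVALIDATING_CAUSES = {3, 6, 7, 8}  # cause value set named in the text

# Access names and topology below are constructed for this example.
Access = namedtuple("Access", "name rat ta plmn")
Response = namedtuple("Response", "accepted cause integrity_protected")

ACCEPT = Response(True, None, True)
SPOOFED_REJECT = Response(False, 3, False)  # cause #3, no integrity protection


def priority(first, cand):
    """Rank a candidate per FIG. 4; lower tuples are tried first."""
    if (cand.plmn, cand.ta) == (first.plmn, first.ta):
        scope = 0                      # steps 411/421: same cell/TA
    elif cand.plmn == first.plmn:
        scope = 1                      # step 431: other TA, same PLMN
    else:
        scope = 2                      # step 441: other PLMN
    if cand.rat == first.rat:
        access = 0                     # same access first
    elif cand.rat != "non-3GPP":
        access = 1                     # then a different 3GPP access
    else:
        access = 2                     # then non-3GPP
    return (scope, access)


class UE:
    def __init__(self, accesses, max_per_access=1, max_invalidate=5):
        self.accesses = list(accesses)
        self.max_per_access = max_per_access    # assumed limit
        self.max_invalidate = max_invalidate    # assumed limit
        self.usim_valid = True
        self.reset_counters()

    def reset_counters(self):
        self.invalidate_counter = 0
        self.per_access = {a: 0 for a in self.accesses}

    def next_target(self, first):
        # An access is qualified while its own counter is below its maximum.
        qualified = [a for a in self.accesses
                     if self.per_access[a] < self.max_per_access]
        return min(qualified, key=lambda a: priority(first, a), default=None)

    def register(self, first, network):
        """Run the retry procedure; returns (outcome, accesses tried)."""
        trail, target = [], first
        while target is not None:
            trail.append(target.name)
            resp = network(target)
            if resp.accepted:
                self.reset_counters()           # steps 651/660
                return "registered", trail
            if resp.cause not in INVALIDATING_CAUSES:
                return "other-cause", trail     # outside the page's scope
            if not resp.integrity_protected:
                self.per_access[target] += 1
                self.invalidate_counter += 1
            if (resp.integrity_protected
                    or self.invalidate_counter >= self.max_invalidate):
                self.usim_valid = False         # step 560
                return "reject-treated-as-genuine", trail
            target = self.next_target(first)
        return "no-qualified-access", trail     # assumption, see lead-in


NR_TA1 = Access("NR-TA1", "NR", "TA1", "PLMN1")
ACCESSES = [
    NR_TA1,
    Access("EUTRA-TA1", "E-UTRA", "TA1", "PLMN1"),
    Access("WLAN-TA1", "non-3GPP", "TA1", "PLMN1"),
    Access("NR-TA2", "NR", "TA2", "PLMN1"),
    Access("EUTRA-PLMN2", "E-UTRA", "TA3", "PLMN2"),
]


def rogue_in_ta1(access):
    """Constructed scenario: unprotected rejects only inside TA1."""
    return SPOOFED_REJECT if access.ta == "TA1" else ACCEPT


def reject_everywhere(access):
    """Constructed scenario: every access returns an unprotected reject."""
    return SPOOFED_REJECT


def run(network, **limits):
    ue = UE(ACCESSES, **limits)
    outcome, trail = ue.register(NR_TA1, network)
    return outcome, trail, ue.usim_valid, ue.invalidate_counter


if __name__ == "__main__":
    print(run(rogue_in_ta1))
    print(run(reject_everywhere))
```

In the first scenario the UE leaves TA1 after three unprotected rejects and registers in TA2 with its counters reset; in the second the reject is only treated as genuine once the invalidate counter reaches its maximum.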

FIG. 7 illustrates an exemplary flow chart of the UE handling non-integrity protected rejection message in 5G system in accordance with embodiments of the current invention. At step 701, the UE transmits a Registration Request in a 5G system (5GS) on a first access network with a first PLMN, wherein the UE can access the 5GS core network (CN) through a plurality of access networks include one or more 3rd Generation Partner Project (3GPP) network and at least one non-3GPP network. At step 702, the UE receives a Registration Reject from the 5GS with a cause value indicating a non-integrity protected rejection invalidating the UE. At step 703, the UE updates one or more corresponding rejection counters based on the first access network and the first PLMN, wherein each rejection counter counts a corresponding registration rejection received without integrity protection. At step 704, the UE attempts a new Registration Request based on a registration rule, wherein the registration rule allows the new Registration Request with a selected access network and a selected PLMN upon determining one or more registration conditions are met based on a predefined registration selection criterion, and wherein the selection criterion allows a non-3GPP network being selected.

Although the present invention has been described in connection with certain specific embodiments for instructional purposes, the present invention is not limited thereto. Accordingly, various modifications, adaptations, and combinations of various features of the described embodiments can be practiced without departing from the scope of the invention as set forth in the claims.

What is claimed is:
1. A method, comprising: transmitting a Registration Request by a user equipment (UE) in a 5G system (5GS) on a first access network with a first public land mobile network (PLMN), wherein the UE can access the 5GS core network (CN) through a plurality of access networks include one or more 3rd Generation Partner Project (3GPP) network and at least one non-3GPP network; receiving a Registration Reject from the 5GS with a cause value indicating a non-integrity protected rejection invalidating the UE; updating one or more corresponding rejection counters based on the first access network and the first PLMN, wherein each rejection counter counts a corresponding registration rejection received without integrity protection; and attempting a new Registration Request based on a registration rule, wherein the registration rule allows the new Registration Request with a selected access network and a selected PLMN upon determining one or more registration conditions are met based on a predefined registration selection criterion, and wherein the selection criterion allows a non-3GPP network being selected.
2. The method of claim 1, wherein the registration rule selects a qualified access network following a descending priority order comprising: selecting an available access network in a same cell or a same tracking area (TA) as the first access network, selecting an available access network in a different tracking area (TA) with a same PLMN as the first access network, and selecting an available access network in a different PLMN.
3. The method of claim 2, wherein the registration rule selects a qualified access network for the new registration request from in 5GS or evolved packet system (EPS) following a descending priority order comprising: a same access network, a different 3GPP access network, and a non-3GPP access network.
4. The method of claim 3, wherein a second access network is qualified if an updated rejection counter for the second access network is smaller than a preconfigured maximum value of registration for the second access network.
5. The method of claim 1, wherein the one or more rejection counters include a retry counter increased by one for each registration request sent by the UE.
6. The method of claim 5, wherein the registration condition includes the retry counter is smaller than a preconfigured maximum value of UE retry counter.
7. The method of claim 1, wherein the 5GS supports evolved packet system (EPS), and wherein the one or more rejection counters include an invalidate counter that is updated for each registration rejection with a cause value indicating a non-integrity protected rejection invalidating the UE.
8. The method of claim 7, wherein the UE only treats a rejection as being genuine until the invalidate counter is greater than or equal to a preconfigured maximum value of invalidate counter.
9. The method of claim 1, further comprising: subsequently receiving a Registration Accept from the 5GS or evolved packet system (EPS); and reset the one or more rejection counters.
10. The method of claim 1, wherein the non-3GPP access network is a WLAN network.
11. A user equipment (UE), comprising: one or more radio frequency (RF) transceivers that transmits and receives radio signals in one or more corresponding radio networks in a 5G system (5GS); a registration request circuit that transmits a Registration Request on a first access network with a first public land mobile network (PLMN), wherein the UE can access the 5GS core network (CN) through a plurality of access networks include one or more 3rd Generation Partner Project (3GPP) network and at least one non-3GPP network; a registration response circuit that receives a Registration Reject from the 5GS with a cause value indicating a non-integrity protected rejection invalidating the UE; a counter circuit that updates one or more corresponding rejection counters based on the first access network and the first PLMN, wherein each rejection counter counts a corresponding registration rejection received without integrity protection; and a retry circuit that attempts a new Registration Request based on a registration rule, wherein the registration rule allows the new Registration Request with a selected access network and a selected PLMN upon determining one or more registration conditions are met based on a predefined registration selection criterion, and wherein the selection criterion allows a non-3GPP network being selected.
12. The UE of claim 11, wherein the registration rule selects a qualified access network following a descending priority order comprising: selecting an available access network in a same cell or a same tracking area (TA) as the first access network, selecting an available access network in a different tracking area (TA) with a same PLMN as the first access network, and selecting an available access network in a different PLMN.
13. The UE of claim 12, wherein the registration rule selects a qualified access network for the new registration request from in 5GS or evolved packet system (EPS) following a descending priority order comprising: a same access network, a different 3GPP access network, and a non-3GPP access network.
14. The UE of claim 13, wherein a second access network is qualified if an updated rejection counter for the second access network is smaller than a preconfigured maximum value of registration for the second access network.
15. The UE of claim 11, wherein the one or more rejection counters include a retry counter increased by one for each registration request sent by the UE.
16. The UE of claim 15, wherein the registration condition includes the retry counter is smaller than a preconfigured maximum value of UE retry counter.
17. The UE of claim 11, wherein the 5GS supports evolved packet system (EPS), and wherein the one or more rejection counters include an invalidate counter that is updated for each registration rejection with a cause value indicating a non-integrity protected rejection invalidating the UE.
18. UE of claim 17, wherein the UE only treats a rejection as being genuine until the invalidate counter is greater than or equal to a preconfigured maximum value of invalidate counter.
19. The UE of claim 11, wherein registration response circuit subsequently receives a Registration Accept from the 5GS, and the counter circuit resets the one or more rejection counters.
20. The UE of claim 11, wherein the non-3GPP access network is a WLAN network.